red-hat-konflux-kflux-prd-rh03 bot commented Nov 5, 2025

This PR contains the following updates:

| Package | Change | Age | Confidence |
|---|---|---|---|
| go.yaml.in/yaml/v2 | v2.4.3 -> v3.0.4 | age | confidence |

Release Notes

yaml/go-yaml (go.yaml.in/yaml/v2)

v3.0.4


v3.0.3


v3.0.2


v3.0.1


v3.0.0



Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

To execute skipped test pipelines write comment /ok-to-test.


Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.


github-actions bot commented Nov 5, 2025

⚠️ This PR contains a major version update and requires manual review before merging. Add the no-automerge label if you want to prevent auto-merge in the future.



claude bot commented Nov 5, 2025

PR Review: Update module go.yaml.in/yaml/v2 to v3

Overview

This PR proposes updating the go.yaml.in/yaml/v2 dependency from v2.4.3 to v3.0.4. After reviewing the changes and codebase, I have identified critical issues that need to be addressed before merging.


🚨 Critical Issues

1. Duplicate Dependency Entry

Location: go.mod:62-63

The PR introduces a duplicate entry for go.yaml.in/yaml/v3:

go.yaml.in/yaml/v3 v3.0.4 // indirect
go.yaml.in/yaml/v3 v3.0.4 // indirect

Impact: This is invalid Go module syntax and will cause build failures.

Fix Required: Remove one of the duplicate lines.


2. Incorrect Module Path Change

Issue: The PR changes from go.yaml.in/yaml/v2 to go.yaml.in/yaml/v3, but this is not the standard yaml library.

Background:

  • The correct module path should be gopkg.in/yaml.v2 → gopkg.in/yaml.v3
  • The go.yaml.in domain appears to be non-standard or possibly a typo
  • Looking at go.sum:219-223, the project uses both gopkg.in/yaml.v2 (lines 219-221) and gopkg.in/yaml.v3 (lines 222-223)

Current state in go.sum:

gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=

Analysis: The project doesn't directly import any yaml libraries. Both v2 and v3 are transitive dependencies from:

  • CAPI libraries (cluster-api, controller-runtime)
  • Testing frameworks (Ginkgo/Gomega)
  • AWS SDK

🔍 Code Quality Assessment

Positive Aspects:

✅ The project doesn't directly use the yaml library, so there's no breaking change risk in application code
✅ This is a transitive dependency update
✅ Automated dependency management via Renovate Bot

Concerns:

1. Module Path Confusion
The diff shows changing go.yaml.in/yaml/v2 to go.yaml.in/yaml/v3, but:

  • This module path is unusual and potentially non-canonical
  • The standard yaml library uses gopkg.in/yaml.vX format
  • Need to verify this is the intended module

2. Version Compatibility

  • v2 → v3 is a major version upgrade
  • While not used directly by this codebase, transitive dependencies may have compatibility requirements
  • Some dependencies may explicitly require v2

3. Missing Validation
The PR description doesn't indicate:

  • Whether tests were run
  • Whether the duplicate entry was detected
  • Whether this resolves any specific issue

🧪 Testing Recommendations

Before merging, please:

  1. Fix the duplicate entry in go.mod
  2. Run the full test suite:
    make test
  3. Verify the build succeeds:
    make build
  4. Check for go.mod tidiness:
    go mod tidy
    git diff go.mod go.sum
  5. Verify no dependency conflicts:
    go mod verify

🛡️ Security Considerations

✅ No direct security concerns identified

  • The yaml library is only used transitively
  • The v3 branch is maintained and receives security updates
  • However, ensure all transitive dependencies support v3

📊 Performance Considerations

⚠️ Potential Impact:

  • yaml.v3 has performance improvements over v2
  • However, both versions may now be included in the binary if dependencies require different versions
  • This could increase binary size

Recommendation: Audit dependencies to ensure they all support v3 to avoid dual-loading both versions.


💡 Recommendations

Before Merging:

  1. MUST FIX: Remove the duplicate go.yaml.in/yaml/v3 entry
  2. ⚠️ Investigate: Confirm go.yaml.in is the correct module path (vs. gopkg.in)
  3. ⚠️ Verify: Check if any dependencies explicitly require yaml.v2
  4. Test: Run full test suite including integration tests
  5. Validate: Ensure go mod tidy produces no additional changes

After Investigation:

  • If go.yaml.in is correct: Fix the duplicate and test thoroughly
  • If gopkg.in is correct: Close this PR and investigate why Renovate is suggesting the wrong path
  • Consider using go mod why go.yaml.in/yaml/v2 and go mod why gopkg.in/yaml.v2 to understand the dependency chain

✅ Approval Status

Status: CHANGES REQUESTED

Reason: Duplicate dependency entry will cause build failures. Cannot merge as-is.

Next Steps:

  1. Fix the duplicate line in go.mod
  2. Run tests to verify functionality
  3. Consider investigating the module path discrepancy
  4. Update the PR if additional changes are needed

Note: This is an automated dependency update from Renovate Bot. While automation is valuable, this PR demonstrates the importance of validation checks before merge. Consider adding a CI check that runs go mod tidy and verifies no duplicates exist.

🤖 Generated with Claude Code (https://claude.com/claude-code)
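
A sketch of the duplicate-entry CI check suggested at the end of the review above. This is an added example, not part of the PR, the review, or the project's CI. The function names (`gomod_duplicates`, `check_gomod`, `sample_gomod`) and the `example.test` module paths are constructed for illustration; the duplicated `go.yaml.in/yaml/v3` line is the one quoted in the review.

```shell
#!/bin/sh
# Added example: flag module paths listed more than once in go.mod require directives.

# gomod_duplicates FILE: print "<module path> <count>" for every module that
# appears more than once across all require directives, sorted by path.
gomod_duplicates() {
    awk '
        { sub(/\/\/.*/, "") }                              # strip trailing comments
        /^[ \t]*require[ \t]*\(/   { in_block = 1; next }  # start of require ( ... )
        in_block && /^[ \t]*\)/    { in_block = 0; next }  # end of the block
        in_block && NF >= 2        { seen[$1]++; next }    # "path version" line
        $1 == "require" && NF >= 3 { seen[$2]++ }          # single-line require
        END { for (m in seen) if (seen[m] > 1) print m, seen[m] }
    ' "$1" | sort
}

# check_gomod FILE: CI gate; returns 1 and reports on stderr if duplicates exist.
check_gomod() {
    dups=$(gomod_duplicates "$1")
    if [ -n "$dups" ]; then
        printf 'duplicate require entries in %s:\n%s\n' "$1" "$dups" >&2
        return 1
    fi
    return 0
}

# sample_gomod: constructed go.mod reproducing the duplicate shown in the review.
sample_gomod() {
    cat <<'EOF'
module example.test/demo

go 1.23

require example.test/direct v1.2.0

require (
    example.test/other v0.3.1 // indirect
    go.yaml.in/yaml/v3 v3.0.4 // indirect
    go.yaml.in/yaml/v3 v3.0.4 // indirect
)
EOF
}

# Demo run on the constructed file.
tmp=$(mktemp)
sample_gomod > "$tmp"
gomod_duplicates "$tmp"   # -> go.yaml.in/yaml/v3 2
rm -f "$tmp"
```

In a pipeline, `check_gomod go.mod` would run alongside the `go mod tidy` and `git diff go.mod go.sum` steps listed in the review's testing recommendations.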

Signed-off-by: red-hat-konflux-kflux-prd-rh03 <206760901+red-hat-konflux-kflux-prd-rh03[bot]@users.noreply.github.com>
red-hat-konflux-kflux-prd-rh03 bot force-pushed the konflux/mintmaker/main/go.yaml.in-yaml-v2-3.x branch from 3ae0802 to 92edf10 on November 6, 2025 04:47

github-actions bot commented Nov 6, 2025

⚠️ This PR contains a major version update and requires manual review before merging. Add the no-automerge label if you want to prevent auto-merge in the future.

